diff --git a/chef/cookbooks/bind9/recipes/default.rb b/chef/cookbooks/bind9/recipes/default.rb
index 745e1fae97..6c0f941122 100644
--- a/chef/cookbooks/bind9/recipes/default.rb
+++ b/chef/cookbooks/bind9/recipes/default.rb
@@ -293,7 +293,8 @@ def make_zone(zone)
 end
 end
-# We would like to bind service only to ip address from admin network
+# We would like to bind service only to ip address from admin network unless enable_designate is
+# enabled. In which case bind both the admin and public.
 admin_network = Chef::Recipe::Barclamp::Inventory.get_network_by_type(node, "admin")
 admin_addr = admin_network.address
@@ -390,10 +391,20 @@ def make_zone(zone)
 ### FIXME Change to "any" once IPv6 support has been implemented
 admin_addr6 = "none"
+public_addr6 = "none"
 if node[:dns][:enable_designate] && !node[:dns][:master]
 node[:dns][:forwarders].push master_ip
 end
+ipaddresses = [admin_addr]
+ip6addresses = [admin_addr6]
+if node[:dns][:enable_designate]
+ public_addr = Chef::Recipe::Barclamp::Inventory.get_network_by_type(node, "public").address
+ public_addr = nil if admin_addr == public_addr
+ ipaddresses << public_addr unless public_addr.nil?
+ ip6addresses << public_addr6 unless public_addr6 == "none"
+end
+
 # Rewrite our default configuration file
 template "/etc/bind/named.conf" do
 source "named.conf.erb"
@@ -402,8 +413,8 @@ def make_zone(zone)
 group bindgroup
 variables(forwarders: node[:dns][:forwarders],
 allow_transfer: allow_transfer,
- ipaddress: admin_addr,
- ip6address: admin_addr6,
+ ipaddresses: ipaddresses,
+ ip6addresses: ip6addresses,
 enable_designate: node[:dns][:enable_designate] && node[:dns][:master]
 )
 notifies :restart, "service[bind9]", :immediately
diff --git a/chef/cookbooks/bind9/templates/default/named.conf.erb b/chef/cookbooks/bind9/templates/default/named.conf.erb
index 5664bae394..2e8c83e6bc 100644
--- a/chef/cookbooks/bind9/templates/default/named.conf.erb
+++ b/chef/cookbooks/bind9/templates/default/named.conf.erb
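Review bot: In the new `if node[:dns][:enable_designate]` block of the second hunk, the result of `get_network_by_type(node, "public")` is dereferenced with `.address` unguarded, so a DNS node without a public allocation would presumably abort the recipe with a NoMethodError instead of falling back to the admin address. A guarded form such as `public_net = Chef::Recipe::Barclamp::Inventory.get_network_by_type(node, "public")` followed by `ipaddresses << public_net.address if public_net && public_net.address != admin_addr` also removes the round-trip through `nil`. Since `public_addr6` is hard-coded to `"none"`, the `ip6addresses <<` line cannot run yet, and once it does the list would still begin with the `"none"` taken from `admin_addr6`; a short comment next to the FIXME should say so. Note also that the public address is added on every DNS node when `enable_designate` is set, while the template's `enable_designate` variable is additionally gated on `node[:dns][:master]`; if only the master needs the public listener, the same gate belongs here.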
@@ -39,8 +39,8 @@ options {
 };
 <% end -%>
 auth-nxdomain no; # conform to RFC1035
- listen-on { <%= @ipaddress %>; };
- listen-on-v6 { <%= @ip6address %>; };
+ listen-on { <%= @ipaddresses.join("; ") %>; };
+ listen-on-v6 { <%= @ip6addresses.join("; ") %>; };
 minimal-responses yes;
 allow-new-zones yes;
 };
diff --git a/crowbar_framework/app/models/dns_service.rb b/crowbar_framework/app/models/dns_service.rb
index beeea82baf..5dc6835a07 100644
--- a/crowbar_framework/app/models/dns_service.rb
+++ b/crowbar_framework/app/models/dns_service.rb
@@ -113,6 +113,13 @@ def apply_role_pre_chef_call(old_role, role, all_nodes)
 return if all_nodes.empty?
 tnodes = role.override_attributes["dns"]["elements"]["dns-server"]
+ # If designate is enabled, we need each DNS node to be attached to the public network.
+ net_svc = NetworkService.new @logger
+ tnodes.each do |node|
+ if role.default_attributes[:dns][:enable_designate]
+ net_svc.allocate_ip "default", "public", "host", node
+ end
+ end
 nodes = tnodes.map { |n| Node.find_by_name(n) }
 if nodes.length == 1
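Review bot: Once `listen-on` carries the public address, the interface binding no longer limits who can reach this server, and the part of `options { … }` visible in the hunk (`auth-nxdomain`, `minimal-responses`, `allow-new-zones`) contains no query or recursion restriction; the block starts above the hunk, so this may be set there. Because the same template is rendered with `forwarders`, confirm that `allow-recursion` and `allow-query-cache` are limited to the internal networks, otherwise the public listener answers recursive queries for anyone. With `allow-new-zones yes` in the same block, it is also worth confirming that the control channel stays on the admin side. A comment above the line would record the intent, for example `# public address is listed only when enable_designate is set; query/recursion ACLs must account for it`.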
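Review bot: The result of `net_svc.allocate_ip "default", "public", "host", node` is discarded, so if the call reports failure through its return value (not visible here) the role is applied anyway and the problem only surfaces later, when the bind9 recipe looks up the public network. The `enable_designate` test is loop-invariant and would read better hoisted, with `if role.default_attributes[:dns][:enable_designate]` wrapping both `NetworkService.new @logger` and the `tnodes.each` loop. The context line above reads the role with string keys (`role.override_attributes["dns"]`) while the new line uses symbols, so confirm `default_attributes` accepts both. The block variable `node` appears to hold a node name, not a node object (the next line maps `Node.find_by_name(n)`), and `name` would be clearer. apply_role_pre_chef_call starts and ends outside the hunk.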